[OAUTH-WG] We appear to still be litigating OAuth, oops

2021-02-23 Thread Bron Gondwana
On Wed, Feb 24, 2021, at 17:26, Jim Manico wrote: > I think it’s important to point out that OAuth is not an authentication > protocol. It’s for delegation. OAuth is one of the most mis-used protocols on > the modern web. If you really want to support end users, a good place to > start is to mak

Re: [OAUTH-WG] Diversity and Inclusiveness in the IETF

2021-02-23 Thread Jim Manico
I think it’s important to point out that OAuth is not an authentication protocol. It’s for delegation. OAuth is one of the most mis-used protocols on the modern web. If you really want to support end users, a good place to start is to make it clear to developers what OAuth is really for so secur

Re: [OAUTH-WG] Diversity and Inclusiveness in the IETF

2021-02-23 Thread Larry Masinter
Cogent argument that brings to focus on the Subject: topic what seemed like a “side” conversation about friendliness of the OAUTH wg. From: ietf On Behalf Of Phillip Hallam-Baker Sent: Tuesday, February 23, 2021 9:47 PM To: Kathleen Moriarty Cc: i...@ietf.org; oauth@ietf.org Subject: R

[OAUTH-WG] Building Real Internet Platforms

2021-02-23 Thread Mark Nottingham
Just to +1 and add my bit: in my mind one of the fundamental flaws of the Web is that it is basically a platform construction toolkit, without any of the checks or balances we put into *real* internet platforms to assure that there isn't one chokepoint with all of the power. As a result, it's ti

Re: [OAUTH-WG] Diversity and Inclusiveness in the IETF

2021-02-23 Thread Phillip Hallam-Baker
I am worried by the advice 'use OAUTH' but for a very different reason. OAUTH and SAML are both attempts to provide a secure authentication scheme that works within the very particular and very peculiar environment of Web browsers. They are schemes that necessarily involve techniques that are righ

Re: [OAUTH-WG] JMAP's experience with proposing an Authentication model

2021-02-23 Thread Warren Parad
Okay, now I'm lost, what's the point of this discussion? Is there something we are actively trying to achieve? The email subject is *JMAP's experience with proposing an Authentication model*, sometimes sharing experiences is helpful, but I still lack the goal we are attempting to accomplish by doi

[OAUTH-WG] Auth

2021-02-23 Thread Jerry Leyendecker
Yeah ___ OAuth mailing list OAuth@ietf.org https://www.ietf.org/mailman/listinfo/oauth

Re: [OAUTH-WG] Diversity and Inclusiveness in the IETF

2021-02-23 Thread Eric Rescorla
Replying to Rifaat's e-mail but not replying to him specifically. Hi folks, I don't think the question of whether OAuth is a good or bad WG group is really a productive one in general, and it's especially hard for me to see how it's going to let us make progress on questions of DEI. This seems li

Re: [OAUTH-WG] JMAP's experience with proposing an Authentication model

2021-02-23 Thread Evert Pot
If every client and every server needs to implement "/all the popular mechanisms/" then that's not such a big deal when you're shipping the client code for your own server as part of a website, but it's a big deal if you're trying to create a general client and don't want to have to hard-code

Re: [OAUTH-WG] Diversity and Inclusiveness in the IETF

2021-02-23 Thread Rifaat Shekh-Yusef
On Tue, Feb 23, 2021 at 4:57 PM Mark Nottingham wrote: > > > > On 24 Feb 2021, at 2:20 am, Kathleen Moriarty < > kathleen.moriarty.i...@gmail.com> wrote: > [...] > > And way back when I was AD, OAuth was by far the most productive working > group I managed. They put out what felt like about 3 do

Re: [OAUTH-WG] Diversity and Inclusiveness in the IETF

2021-02-23 Thread Mark Nottingham
> On 24 Feb 2021, at 2:20 am, Kathleen Moriarty > wrote: [...] > And way back when I was AD, OAuth was by far the most productive working > group I managed. They put out what felt like about 3 documents a meeting for > full publication. I was the AD for 3 years, ending in 2017 when EKR bec

Re: [OAUTH-WG] JMAP's experience with proposing an Authentication model

2021-02-23 Thread Bron Gondwana
Yeah - the discussion has wandered into the weeds (and I'm largely responsible for this) about whether the way JMAP was proposing doing Authentication was the right way, rather than the meta topic which started this which was "my impression on joining the IETF was that OAuth working group was to

Re: [OAUTH-WG] JMAP's experience with proposing an Authentication model

2021-02-23 Thread Phil Hunt
Bron, I notice that JMAP is a protocol built on top of HTTP. Like JMAP, when the SCIM WG was developing SCIM (RFC7643/7644) we had a lot of participants wanting to define authentication within SCIM too. This in part came from the popular use of the LDAP “bind” feature as a general purpose aut

Re: [OAUTH-WG] Diversity and Inclusiveness in the IETF

2021-02-23 Thread Kathleen Moriarty
On Tue, Feb 23, 2021 at 9:30 AM Roman Danyliw wrote: > Hi! > > > > *From:* ietf *On Behalf Of * Bron Gondwana > *Sent:* Tuesday, February 23, 2021 7:47 AM > *To:* Rifaat Shekh-Yusef > *Cc:* i...@ietf.org; oauth@ietf.org > *Subject:* Re: Diversity and Inclusiveness in the IETF > > > > On Tue, Fe

Re: [OAUTH-WG] Token Mediating and session Information Backend For Frontend (TMI BFF)

2021-02-23 Thread George Fletcher
Unfortunately, in the mobile app world this isn't sufficient. On iOS using Universal Links will bind the https redirect_url to your app in a secure way but it doesn't work the same way on Android with App Links. There is still a problem with "mobile app impersonation". If you have an app that y

Re: [OAUTH-WG] JMAP's experience with proposing an Authentication model

2021-02-23 Thread Brian Campbell
Just to add a little context - this is an offshoot of a discussion that's happening over on the ietf@ list: https://mailarchive.ietf.org/arch/msg/ietf/pTFOZjhuZfj45pnUNOr7Pt-YnGc/ On Tue, Feb 23, 2021 at 6:36 AM Warren Parad wrote: > I admit I haven't been present that long in this group, howeve

Re: [OAUTH-WG] Diversity and Inclusiveness in the IETF

2021-02-23 Thread Roman Danyliw
Hi! From: ietf On Behalf Of Bron Gondwana Sent: Tuesday, February 23, 2021 7:47 AM To: Rifaat Shekh-Yusef Cc: i...@ietf.org; oauth@ietf.org Subject: Re: Diversity and Inclusiveness in the IETF On Tue, Feb 23, 2021, at 23:40, Rifaat Shekh-Yusef wrote: So you have never reached out to us to try t

Re: [OAUTH-WG] JMAP's experience with proposing an Authentication model

2021-02-23 Thread Warren Parad
I admit I haven't been present that long in this group, however it might help to start at the beginning. So far I see rfc8620 already exists, is there a draft or something else you want to discuss? Are you hoping to introduce a new authentication protocol? An

Re: [OAUTH-WG] JMAP's experience with proposing an Authentication model

2021-02-23 Thread Bron Gondwana
On Wed, Feb 24, 2021, at 00:13, Warren Parad wrote: > Hey Bron, > > (caveat: I only skimmed the other conversation) > > I'm trying to figure out how best to digest your message. I feel like I'm > missing context in your message, is there something about JMAP required > authentication that you'r

Re: [OAUTH-WG] JMAP's experience with proposing an Authentication model

2021-02-23 Thread Warren Parad
Hey Bron, (caveat: I only skimmed the other conversation) I'm trying to figure out how best to digest your message. I feel like I'm missing context in your message, is there something about JMAP required authentication that you're asking to be considered in OAuth. Help me figure out what I'm miss

[OAUTH-WG] JMAP's experience with proposing an Authentication model

2021-02-23 Thread Bron Gondwana
(bringing this back to just the OAuth list) On Tue, Feb 23, 2021, at 23:46, Hannes Tschofenig wrote: > I don’t know whether it is already too late for your document (which is dated > 2016) to consider the use of OAuth but Rifaat and I are happy to put you on > the spot in one of our future virtu

[OAUTH-WG] (no subject)

2021-02-23 Thread Halim Dimitry Halim

Re: [OAUTH-WG] Diversity and Inclusiveness in the IETF

2021-02-23 Thread Hannes Tschofenig
Hi Bron, Let me also tell you a personal story. I was in the army in Austria and a commander of a small group. Everyone on the base knew about a pub in the city that was extremely dangerous and, according to stories, you would most likely get stabbed there. I was wondering about that place and

Re: [OAUTH-WG] Diversity and Inclusiveness in the IETF

2021-02-23 Thread Bron Gondwana
On Tue, Feb 23, 2021, at 23:40, Rifaat Shekh-Yusef wrote: > So you have never reached out to us to try to bring any work to the WG, and > based on attending one meeting and hearing from a few people, you formed a > strong opinion and declared that "nothing would get done"? that seems odd. Based

Re: [OAUTH-WG] Diversity and Inclusiveness in the IETF

2021-02-23 Thread Rifaat Shekh-Yusef
So you have never reached out to us to try to bring any work to the WG, and based on attending one meeting and hearing from a few people, you formed a strong opinion and declared that "nothing would get done"? That seems odd. For your information, last year we published 4 RFCs, and we already have

Re: [OAUTH-WG] Diversity and Inclusiveness in the IETF

2021-02-23 Thread Bron Gondwana
Without wishing to litigate the entire issue here (happy to remove the wider IETF list and just talk on the OAuth group), we never brought any work to the OAuth group because everybody who we spoke to warned us that nothing would get done. There's a term "missing stair" https://en.wikipedia.org

Re: [OAUTH-WG] Diversity and Inclusiveness in the IETF

2021-02-23 Thread Hannes Tschofenig
Hi Bron, I have to respond to your statements about the OAuth working group below. While we do not pay attention to keeping the charter page up-to-date, we have been able to advance our documents, produce many implementations, and got those deployed all over the Internet. The bar for acceptanc